views: 727
answers: 3

I'm using Citrix's sample code as a base and trying to get it to generate ICA files that direct the client to use their Secure Gateway (CSG) provider. My configuration is that the ICA file's server address is replaced with a CSG ticket and traffic is forced to go to the CSG.

The challenge is that both the Citrix App Server (that's providing the ICA session on 1494) and the CSG have to coordinate through a Secure Ticket Authority (STA). That means that my code needs to talk to the STA as it creates the ICA file because STA holds a ticket that the CSG needs embedded into the ICA file. Confusing? Sure! But it's much more secure.

The pre-CSG code looks like this:

AppLaunchInfo launchInfo = (AppLaunchInfo)userContext.launchApp(appID, new AppLaunchParams(ClientType.ICA_30));
ICAFile icaFile = userContext.convertToICAFile(launchInfo, null, null);

I tried to add the SSLEnabled information to the ICA generation, but it was not enough. Here's that code:

launchInfo.setSSLEnabled(true);
launchInfo.setSSLAddress(new ServiceAddress("CSG URL", 443));

Now, it looks like I need to register the STA when I configure my farm:

ConnectionRoutingPolicy policy = config.getDMZRoutingPolicy();
policy.getRules().clear();

//Set the Secure Ticketing Authorities (STAs).
STAGroup STAgr = new STAGroup();
STAgr.addSTAURL(@"http://CitrixAppServerURL/scripts/ctxsta.dll");

//create Secure Gateway connection
SGConnectionRoute SGRoute = new SGConnectionRoute(@"https://CSGURL");
SGRoute.setUseSessionReliability(false);
SGRoute.setGatewayPort(80);
SGRoute.setTicketAuthorities(STAgr);
// add the SGRoute to the policy
policy.setDefault(SGRoute);

This is based on code I found on the Citrix Forums; however, it breaks my ability to connect with the Farm and get my application list!

Can someone point me to an example of code that works? Or a reference document?

A: 

The code in the question is basically right, but I was trying too hard to inject configuration into the launching ICA generator.

Note: Using the WebInterface.conf file for guidance is a good way to determine the right config settings. Even if the code is right, the configuration is very touchy!

Most of the Citrix Secure Gateway (CSG) / Secure Ticket Authority (STA) magic happens when the policy for the initial connection to the farm is established. Specifically, in Global.asax.cs, you must have the following blocks of code:

1) you must have a valid STAGroup:

//Set the Secure Ticketing Authorities (STAs).
STAGroup STAgr = new STAGroup();
STAgr.addSTAURL(@"http://[STA URL]/scripts/ctxsta.dll");

2) then you must create a CSG connection (with the STA mapped):

 //create Secure Gateway connection
 SGConnectionRoute SGRoute = new SGConnectionRoute(@"[CSG FQDN without HTTPS]");
 SGRoute.setUseSessionReliability(false);
 SGRoute.setGatewayPort(443);
 SGRoute.setTicketAuthorities(STAgr);

3) you need to set the policy default

 // Create a DMZ routing policy
 ConnectionRoutingPolicy policy = config.getDMZRoutingPolicy();
 policy.getRules().clear();
 policy.setDefault(SGRoute);

4) you need to tell the launchInfo that you want to be CGP enabled:

launchInfo.setCGPEnabled(true);

WARNING: The SSLEnabled setting was a red herring.

RAVolt
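A way to confirm that the routing policy above actually took effect is to inspect the ICA file the generator hands to the client. The checker below is an added example, not code from the post or from the Citrix SDK. It relies on the INI-style layout of ICA files and on the key names a gateway-routed launch file carries (Address, SSLEnable, SSLProxyHost); the two sample files, the ticket syntax ";40;<STA id>;<ticket>" in the Address field, and the host names and addresses are all constructed for the example. It flags the failure mode the question describes: a farm server's internal address left in the clear instead of an STA ticket, and it would also catch a gateway left on port 80 as in the question's first attempt.

```python
"""Check that a generated ICA file routes the session through the Secure Gateway.

Added example (not from the original post or the Citrix SDK). Key names follow
the INI layout of ICA files; the ticket syntax ';40;<STA id>;<ticket>' is
assumed, and every value in the samples below is constructed.
"""
import configparser
import ipaddress
import re

# Constructed sample: what the generator should emit once the DMZ routing
# policy defaults to the SGConnectionRoute. Ticket and host are made up.
GATEWAY_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=;40;STA1A2B3C4D;E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0
SSLEnable=On
SSLProxyHost=csg.example.com:443
InitialProgram=#Notepad
"""

# Constructed sample of the pre-CSG output: the farm server's address is in
# the clear and the client would try to reach port 1494 on it directly.
DIRECT_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.5.21:1494
InitialProgram=#Notepad
"""

# Assumed ticket form: ';40;' marker, STA identifier, then the hex ticket.
TICKET_RE = re.compile(r"^;40;(STA[0-9A-Fa-f]+);([0-9A-Fa-f]+)$")


def parse_ica(text):
    """ICA files are INI files; keep key case as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_gateway_routing(text):
    """Return a list of findings; an empty list means the file is CSG-routed."""
    cp = parse_ica(text)
    findings = []
    # [ApplicationServers] lists one key per published application; each has
    # its own section carrying the connection details.
    for app in cp["ApplicationServers"]:
        sec = cp[app] if cp.has_section(app) else {}
        address = sec.get("Address", "")
        if not TICKET_RE.match(address):
            findings.append(f"{app}: Address is not an STA ticket: {address!r}")
            host = address.split(":")[0]
            try:
                if ipaddress.ip_address(host).is_private:
                    findings.append(f"{app}: internal address {host} leaks to the client")
            except ValueError:
                pass  # a host name, or empty; nothing more to say about it
        if sec.get("SSLEnable", "").lower() != "on":
            findings.append(f"{app}: SSLEnable is not On")
        proxy = sec.get("SSLProxyHost", "")
        if not proxy:
            findings.append(f"{app}: no SSLProxyHost, client would bypass the gateway")
        elif not proxy.endswith(":443"):
            findings.append(f"{app}: SSLProxyHost {proxy} is not on 443")
    return findings


if __name__ == "__main__":
    for name, ica in (("gateway", GATEWAY_ICA), ("direct", DIRECT_ICA)):
        problems = check_gateway_routing(ica)
        print(name, "OK" if not problems else problems)
```

Run it against the ICA file your code writes out instead of the embedded samples; a clean result means the client only ever sees the gateway's name and a one-time ticket, never the farm server's address.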
A: 

There's another way to do this that is cleaner and more configurable. The code can be set up to use the webinterface.conf file that the default Citrix Web Interface uses.

The following code should replace all of the farmConfig, STAGroup, ConnectionRoutingPolicy mess in the above sample.

// Read the same WebInterface.conf the stock Web Interface site uses
InputStream inputStream = new FileInputStream(@"C:\temp\WebInterface.conf");
CtxConfig configInput = new CtxConfig(inputStream);
Map settingsMap = configInput.getSettingsMap();
WIConfiguration wiConfiguration = ConfigurationParser.buildWIConfiguration(settingsMap);

// Copy the farm, DMZ routing (CSG/STA) and proxy settings into the SDK configuration
com.citrix.wing.config.Configuration config = new com.citrix.wing.config.Configuration();
config.setGlobalConfig(wiConfiguration.getGlobalConfig());
config.setMPSFarmConfigs(wiConfiguration.getMPSFarmConfigs());
config.setDMZRoutingPolicy(wiConfiguration.getDMZRoutingPolicy());
config.setClientProxyPolicy(wiConfiguration.getClientProxyPolicy());

// Create a StaticEnvironmentAdaptor instance.
WIASPNetStaticAdaptor staticEnvAdaptor = new WIASPNetStaticAdaptor(this);

// Create a WebPNBuilder instance.
WebPNBuilder builder = WebPNBuilder.getInstance();
Application["WebPNBuilder"] = builder;

// Create a WebPN instance from the configuration.
WebPN webPN = builder.createWebPN(config, staticEnvAdaptor);
Application["WebPN"] = webPN;
RAVolt
A: 

Another note on this problem from using the JICA client with an internal certificate (non-trusted root).

The JICA client does not let you accept a certificate from a non-trusted root, so it was required to add the certificate to the Java CA store. Adding it to the Windows store does not do any good!

Get your dev root CA, then navigate to the bin directory of the latest Java install (typically under c:\program files\java\jre*** )

Execute the following command:

keytool -import -trustcacerts -keystore "..\lib\security\cacerts" -file "c:\temp\root.cer" -alias myroot

I'll let you Google for the password because you're supposed to changeit [sic].

RAVolt